The Expert view: Securing the mobile workforce

29 June 2018
Author: Shane Richmond

There is little doubt that the security landscape is changing rapidly. Over the last 18 months, said Ali Neil, of Verizon, we have seen ransomware and Wi-Fi network jamming continue to cause problems, while cryptocurrency-mining malware has spread rapidly. Mr Neil told a Business Reporter Breakfast Briefing at the Goring Hotel in London that the arrival of 5G, which will begin next year, would multiply these threats.

Mobility drivers

The shift to mobile working is the result of changes across the enterprise. Workers are demanding greater mobility so they can avoid commuting and work while travelling, at home or at a client’s office.

Companies are equally keen for employees to work outside the office – they increasingly expect employees to be available in the evening and at weekends, so they need to provide systems to make that possible. Getting staff away from their desks means less need for office space, too, which helps organisations to cut costs.

On top of that, customers and partners expect to be able to work with companies remotely. Without systems in place to meet those needs, organisations will lose business and sacrifice working relationships.

People problems

The security issues that come with increasing mobility are mostly familiar; users face the same risks as before but, as their time on devices increases, so does the opportunity for problems. However, there are a couple of issues that are specific to a mobile workforce: first, the risk of leaving the corporate network, picking up malware or similar and then returning to the network; second, the risk from bring your own device (BYOD) schemes.

Dave Harper, from Zscaler, said that companies often have no governance or control over what an employee does with their device outside the corporate network. Consequently, their device could be compromised, perhaps over an unsecure public Wi-Fi network, which could cause problems when they are back on the corporate network.

That risk, said one attendee, can be mitigated to an extent when the device is a company one. He said he was confident that he could make a company device almost as secure off the company network as it is on it. However, he admitted that securing an employee device was very difficult to do.

Some delegates were wary of loading software onto an employee device or monitoring its activity, fearing that this could be seen as a privacy violation. One suggested it might be possible to make the solution appealing by offering employees the same protection on their personal devices as they have at work, but acknowledged that this might not appeal to every employee.

Combined solutions

Technology solutions, such as monitoring tools, can only go so far, attendees felt. Companies must think about where they place responsibility for security behaviour but have to understand that the average employee lacks security knowledge. Placing too much responsibility on them won’t necessarily stop security lapses. And any technology they are expected to use needs to be simple or they will typically work around it.

All attendees agreed that training is vital, though some felt that its value is limited. While some felt that training establishes the benchmark for behaviour, others argued that all meaningful learning is gained through experience anyway, so training should be kept to a minimum. Likewise, processes were viewed as a necessary part of governance but most attendees agreed that very few people would read them.

There is some place for ‘forcing’ people to work in particular ways, especially if the process that forces them is kept in the background. Forcing people to change their passwords every few months, for example, is pointless if they keep swapping one insecure password for another. However, forcing them to self-serve when dealing with certain problems can help because it relieves a burden from the company and gives the employee a sense of autonomy.

One attendee said that his team had blocked advertising from their web gateway, so that employees did not see any adverts while browsing. This reduced the risk of them downloading malware from an infected site and improved their experience of using the web.

Summarising the debate, Mr Neil said it was clear that solving the ‘people problem’ is the greatest challenge. Forcing people to adopt good security practice won’t work and, if it is done the wrong way, runs the risk of backfiring entirely. Instead, he said, the solution is a multi-faceted approach to problem solving that will incorporate training, process and technology to improve the situation.

Even then, the nature of human beings means that this will never be a finished task. And as the workforce becomes more mobile, and 5G-enabled, so our efforts will have to increase to match.